A personal friend of mine’s Yahoo account was recently hacked by a Nigerian scammer. I know this because the email I got (“I’m stuck in the Philippines and need you to wire money”) had an IP address in a “Received” header that pointed squarely at Lagos, Nigeria. The modus operandi of these scammers is well understood. They erased my friend’s address book to make it harder to contact friends and family and alert them. The email they sent out also had a “Reply-To” field that directs subsequent conversations to a Hotmail account of the same username. I bantered back and forth with the scammer, but wasn’t able to accomplish much of interest before Hotmail abuse staff, who I concurrently notified, shut down the account. Now my friend has to clean up the mess left behind by the scammer.
I’ve exchanged some email with industry insiders, and it seems that these scammers are constantly changing their tactics, making it difficult to automatically squash them. Much like spammers, these scammers are adept at staying one step ahead.
Despite this, one thing really stood out: this specific scammer kept on about the importance of sending money via Western Union. Please wire some money immediately. Every email. I’m reminded of the great work the UCSD crew have been doing on spam, where they notably found that a small number of credit card merchant banks were enabling the bulk of the payments for Viagra, fake Rolex watches, and the like. Shut down those merchant banks, and the spammers’ business model collapses.
My Nigerian scammer gave me a seemingly legitimate street address for a Western Union office in Manilla, but they can pick up the money anywhere in the world. All they need is the “money transfer control number” (MTCN). There’s no need for them show any form of ID. Shocking idea: Western Union can single-handedly destroy this market by changing how they operate. How?
- Allow the sender of money to specify the destination country or a specific Western Union office.
- Allow the sender to require the recipient to present identification.
- Allow the sender to include a photograph of the recipient, which the remote office will validate.
These sorts of methods would raise the bar against scammers, but wouldn’t defeat scammers operating with a collaborating Western Union agent (e.g., one getting a share of the profit). The only way to really stop this is to change the business model. Currently, according to Western Union’s FAQ, “If the receiver has already picked up the funds, this money is gone and we won’t be able to refund your money.” Western Union should be required to insure all money senders against the recipient being a scammer. Once the sender figures out they’ve been scammed and can offer some modicum of proof (e.g., a statement from Hotmail that an account was shut down because it was controlled by a scammer), Western Union should be obligated to refund the money. Of course, Western Union and other such services would be horrified by such a requirement. Too bad! The onus should be on Western Union and other such services to invent technologies or procedures (such as my bullet points above) to defeat scammers, and they should protect their money-sending clients against fraudulent recipients just like credit card companies protect their customers against fraudulent merchants.
Give Western Union and other such services an incentive to solve this problem on their own, by placing the onus of liability on them, and they’ll come up with creative ways to fix the problem, up to and including refusing to do business in countries like Nigeria where the scammers seem to operate with impunity. This entire class of scamming attack will be dealt a mortal blow. Of course, there will always be other ways to move money around, but it’s fundamentally much harder for the scammers to find new ways to move cash than it is for them to find new ways around spam and phishing filters. Western Union: you’re the choke point. Get on it.